Steps for enabling support for large CRLs

Perform the following steps to enable support for CRLs larger than the limit of approximately 32KB.

Before you begin

You need to be familiar with the z/OS® UNIX file systems.

Procedure

  1. Configure a z/OS file system to hold CRLs. If you run multiple instances of PKI Services in a Parallel Sysplex® (one per image), ensure that the file system is shared with each PKI Services instance in the sysplex. For information about managing the z/OS UNIX file system, see z/OS UNIX System Services Planning.

    _______________________________________________________________

  2. Set the value of the LargeCRLPostPath parameter in the CertPolicy section of the PKI Services configuration file, pkiserv.conf, to the full path of the var directory where PKI Services is to save each CRL for posting to LDAP. The default value is /var/pkiserv/. You can specify the value with or without the trailing slash. The value of LargeCRLPostPath can be the same as the value of CRLDistDirPath.

    Guideline: If you are customizing this value for a CA domain, specify a directory name that contains the CA domain name, for example /var/pkiserv/employees/, where employees is the domain name.

    _______________________________________________________________

  3. Set the value of the EnableLargeCRLPosting parameter in the CertPolicy section of the PKI Services configuration file, pkiserv.conf, to T.

    _______________________________________________________________

  4. Restart PKI Services. Your changes to the pkiserv.conf file do not take effect until you do this. For information about starting PKI Services, see Starting and stopping PKI Services.

    _______________________________________________________________
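The following shell check is an added example, not part of the original procedure or of PKI Services. It confirms the settings from steps 2 and 3 before the restart in step 4. It assumes that pkiserv.conf uses "[Section]" headers and Key=Value lines without inline comments; the function names and the scratch directory are hypothetical.

```shell
#!/bin/sh
# conf_get FILE SECTION KEY: print the last value of KEY found inside [SECTION].
# Assumption: "[Section]" headers and Key=Value lines, no inline comments.
conf_get() {
    awk -v sec="[$2]" -v key="$3" '
        { sub(/\r$/, "") }
        /^[ \t]*\[/ { s = $0; gsub(/[ \t]/, "", s); in_sec = (s == sec); next }
        in_sec {
            i = index($0, "=")
            if (i == 0) next
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }
    ' "$1"
}

# check_large_crl FILE: return 0 only if large-CRL posting is enabled and the
# post directory is usable. Run it under the user ID that PKI Services runs as,
# otherwise the writability test says nothing about the daemon.
check_large_crl() {
    enabled=$(conf_get "$1" CertPolicy EnableLargeCRLPosting)
    path=$(conf_get "$1" CertPolicy LargeCRLPostPath)
    [ -n "$path" ] || path=/var/pkiserv/      # documented default
    rc=0
    if [ "$enabled" != "T" ]; then
        echo "FAIL: EnableLargeCRLPosting is '$enabled', expected T"; rc=1
    fi
    case $path in
        /*) ;;
        *) echo "FAIL: LargeCRLPostPath '$path' is not a full path"; rc=1 ;;
    esac
    if [ ! -d "$path" ]; then
        echo "FAIL: $path is not an existing directory"; rc=1
    elif [ ! -w "$path" ]; then
        echo "FAIL: $path is not writable by $(id -un)"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: large CRLs will be saved to $path"
    return "$rc"
}

# Constructed sample (not a real pkiserv.conf), checked in a scratch directory.
d=${TMPDIR:-/tmp}/crlcheck.$$
mkdir -p "$d/employees"
printf '[CertPolicy]\nEnableLargeCRLPosting=T\nLargeCRLPostPath=%s/employees/\n' "$d" > "$d/pkiserv.conf"
check_large_crl "$d/pkiserv.conf"
rm -rf "$d"
```

In a sysplex, run the check on each image so that every PKI Services instance is confirmed to see the shared file system at the same path.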

Results

When you are done, you have enabled support for large CRLs, and CRLs are no longer limited to approximately 32KB in size.